Logs of deleted files

 
Abhik Ray
Occasional Visitor

Hi,

I want details of who deleted a particular file. Is there any system log which stores the same ??
Is there any way such information can be obtained ??

Regards
Abhik Ray
7 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: Logs of deleted files

Hi:

No. You *might* examine the '.sh_history' file(s). File deletion is allowed/disallowed by the permissions (write) of the *directory* in which a file resides. A sticky bit on the directory will prohibit everyone but the owner (or root) from removing a file.

Regards!

...JRF...
OldSchool
Honored Contributor

Re: Logs of deleted files

not by default. you might be able to track it if you enable auditing, but I don't know for sure.

another alternative would be a "wrapper" script in place of the standard "rm". you could use that to "roll your own" logs.

something like "powerbroker" (commercial software) might also be of use, but at a cost.

the wrapper should be fairly easily implemented.....
Fabian Briseño
Esteemed Contributor

Re: Logs of deleted files

Hello Abhik.

I don't know the exact answer to your questions but.

you can start to check /etc/wtmp, this file keeps a log of who has logged in to your system

It wouldn't hurt to check /var/adm/syslog/syslog.log either

Also check if something in your crontab file is not scheduled to delete files.


Hope this helps.
Knowledge is power.
Abhik Ray
Occasional Visitor

Re: Logs of deleted files

Thanks for your replies.

Can you please tell me how (and where) do I check the 'sh_history' files.

I checked /var/adm/syslog/syslog.log but found no info related to deletion of the specific file.

Thanks and regards
Abhik Ray
James R. Ferguson
Acclaimed Contributor
Solution

Re: Logs of deleted files

Hi (again):

> Can you please tell me how (and where) do I check the 'sh_history' files.

Assuming that you are using the Posix (default) shell:

# more ~/.sh_history

...where '~' is the HOME directory of any user.

> I checked /var/adm/syslog/syslog.log but found no info related to deletion of the specific file.

You won't as noted originally. Unix does exactly what it is told and silently if there isn't anything worthwhile saying.

Regards!

...JRF...
Abhik Ray
Occasional Visitor

Re: Logs of deleted files

ok .. so without a predefined wrapper in place, it is impossible to trace activities of other users??
Dennis Handly
Acclaimed Contributor

Re: Logs of deleted files

>so without a predefined wrapper in place, it is impossible to trace activities of other users?

Right. Either wrappers or auditing.
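
The "wrapper" approach mentioned in this thread, as an added example (not code posted by any participant): a POSIX shell script that records who removed which path before handing off to the real rm. The log path /var/adm/rm_audit.log, the function names and the record format are assumptions made for illustration; REAL_RM assumes the real binary is /usr/bin/rm.

```shell
#!/bin/sh
# Added example: logging wrapper for rm. Paths and names below are assumptions.
REAL_RM="${REAL_RM:-/usr/bin/rm}"          # assumed location of the real rm
RM_LOG="${RM_LOG:-/var/adm/rm_audit.log}"  # hypothetical audit log file

# Print one record per file operand: time, login name, effective user, tty, path.
rm_log_records() {
    ts=$(date '+%Y-%m-%dT%H:%M:%S')
    login=$(logname 2>/dev/null || echo unknown)   # original login, survives su
    euser=$(id -un 2>/dev/null || id -u)           # effective user running rm
    term=$(tty 2>/dev/null) || term=none           # helps correlate with wtmp
    opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case "$arg" in
                --)  opts_done=1; continue ;;      # everything after is a file
                -?*) continue ;;                   # option such as -f or -rf
            esac
        fi
        case "$arg" in
            /*) target=$arg ;;
            *)  target=$PWD/$arg ;;                # make relative paths absolute
        esac
        printf '%s login=%s user=%s tty=%s target=%s\n' \
            "$ts" "$login" "$euser" "$term" "$target"
    done
}

# Log first, then run the real rm with the untouched argument list.
logged_rm() {
    # A logging failure must not change rm's behaviour, hence "|| :".
    rm_log_records "$@" >> "$RM_LOG" 2>/dev/null || :
    "$REAL_RM" "$@"
}

# Act as rm only when this script is installed under the name "rm".
if [ "${0##*/}" = "rm" ]; then
    logged_rm "$@"
    exit $?
fi
```

A wrapper like this only sees deletions that go through it: calling the real rm by its full path, or removing a file from another program, leaves no record, which is why auditing is named as the other option above.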